feat: initial release (#1)

.github/settings.yml

@@ -15,11 +15,11 @@ repository:
   # By changing this field, you rename the repository.
 
   # Uncomment this name property and set the name to the current repo name.
-  # name: ""
+  name: "terraform-ibm-key-protect-key"
 
   # The description is displayed under the repository name on the
   # organization page and in the 'About' section of the repository.
 
   # Uncomment this description property
   # and update the description to the current repo description.
-  # description: ""
+  description: "Module for creation of Key Protect keys"

README.md

@@ -128,32 +128,49 @@ statement instead the previous block.
 <!-- BEGIN EXAMPLES HOOK -->
 ## Examples
 
-- [ Default example](examples/default)
-- [ Example that uses existing resources](examples/existing-resources)
-- [ Non default example](examples/non-default)
+- [ End to end example with default values](examples/default)
 <!-- END EXAMPLES HOOK -->
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
+| <a name="requirement_ibm"></a> [ibm](#requirement\_ibm) | >= 1.45.0 |
 
 ## Modules
 
 No modules.
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [ibm_kms_key.key](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/kms_key) | resource |
+| [ibm_kms_key_policies.root_key_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/kms_key_policies) | resource |
+| [ibm_kms_key_policies.standard_key_policy](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/kms_key_policies) | resource |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_dual_auth_delete_enabled"></a> [dual\_auth\_delete\_enabled](#input\_dual\_auth\_delete\_enabled) | Set as true to enable Dual Auth Delete | `bool` | `false` | no |
+| <a name="input_endpoint_type"></a> [endpoint\_type](#input\_endpoint\_type) | Endpoint to use when creating the Key | `string` | `"public"` | no |
+| <a name="input_force_delete"></a> [force\_delete](#input\_force\_delete) | Set as true to enable forcing deletion even if key is in use | `bool` | `false` | no |
+| <a name="input_key_name"></a> [key\_name](#input\_key\_name) | Name to give the key | `string` | n/a | yes |
+| <a name="input_key_protect_instance_id"></a> [key\_protect\_instance\_id](#input\_key\_protect\_instance\_id) | ID of Key Protect Instance | `string` | n/a | yes |
+| <a name="input_key_protect_key_ring_id"></a> [key\_protect\_key\_ring\_id](#input\_key\_protect\_key\_ring\_id) | ID of Key Ring where key is assigned | `string` | `"default"` | no |
+| <a name="input_rotation_interval_month"></a> [rotation\_interval\_month](#input\_rotation\_interval\_month) | Interval in months to rotate the Key | `number` | `1` | no |
+| <a name="input_standard_key"></a> [standard\_key](#input\_standard\_key) | Set as true for Standard Key, false for Root Key | `bool` | `false` | no |
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_crn"></a> [crn](#output\_crn) | Key CRN |
+| <a name="output_dual_auth_delete"></a> [dual\_auth\_delete](#output\_dual\_auth\_delete) | Is Dual Auth Delete Enabled |
+| <a name="output_key_id"></a> [key\_id](#output\_key\_id) | Key ID |
+| <a name="output_rotation_interval_month"></a> [rotation\_interval\_month](#output\_rotation\_interval\_month) | Month Interval for Rotation |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 <!-- BEGIN CONTRIBUTING HOOK -->
 

examples/default/README.md

@@ -1,8 +1,10 @@
-# Default example
+# End to end example with default values
 
 An end-to-end example that uses the module's default variable values.
 This example uses the IBM Cloud terraform provider to:
  - Create a new resource group if one is not passed in.
- - Create a new VPC in the resource group and region provided.
+ - Create a new Key Protect instance in the Resource Group.
+ - Create a new Root Key in the Key Protect instance.
+ - Create a new Standard Key in the Key Protect instance.
 
 <!-- Add your example and link to it from the module's main readme file. -->

examples/default/main.tf

@@ -10,11 +10,26 @@ module "resource_group" {
 }
 
 ##############################################################################
-# VPC
+# Key Protect module
 ##############################################################################
 
-resource "ibm_is_vpc" "vpc" {
-  name           = "${var.prefix}-vpc"
-  resource_group = module.resource_group.resource_group_id
-  tags           = var.resource_tags
+module "key_protect_module" {
+  source            = "git::https://github.com/terraform-ibm-modules/terraform-ibm-key-protect.git?ref=v1.0.0"
+  key_protect_name  = "${var.prefix}-key-protect"
+  resource_group_id = module.resource_group.resource_group_id
+  region            = var.region
+  tags              = var.resource_tags
+}
+
+module "key_protect_root_key" {
+  source                  = "../.."
+  key_protect_instance_id = module.key_protect_module.key_protect_guid
+  key_name                = "${var.prefix}-root-key"
+}
+
+module "key_protect_standard_key" {
+  source                  = "../.."
+  key_protect_instance_id = module.key_protect_module.key_protect_guid
+  key_name                = "${var.prefix}-standard-key"
+  standard_key            = true
 }

examples/default/outputs.tf

@@ -2,9 +2,39 @@
 # Outputs
 ##############################################################################
 
-output "vpc_id" {
-  description = "ID of VPC created"
-  value       = ibm_is_vpc.vpc.id
+output "instance_id" {
+  description = "Key Protect Instance ID"
+  value       = module.key_protect_module.key_protect_guid
+}
+
+output "root_key_id" {
+  description = "Key Protect Key ID"
+  value       = module.key_protect_root_key.key_id
+}
+
+output "root_key_rotation_interval_month" {
+  description = "Month Interval for Rotation"
+  value       = module.key_protect_root_key.rotation_interval_month
+}
+
+output "root_key_dual_auth_delete_enabled" {
+  description = "Is Dual Auth Delete Enabled"
+  value       = module.key_protect_root_key.dual_auth_delete
+}
+
+output "standard_key_id" {
+  description = "Key Protect Key ID"
+  value       = module.key_protect_standard_key.key_id
+}
+
+output "standard_key_rotation_interval_month" {
+  description = "Month Interval for Rotation"
+  value       = module.key_protect_standard_key.rotation_interval_month
+}
+
+output "standard_key_dual_auth_delete_enabled" {
+  description = "Is Dual Auth Delete Enabled"
+  value       = module.key_protect_standard_key.dual_auth_delete
 }
 
 output "resource_group_name" {

examples/default/provider.tf

@@ -2,3 +2,18 @@ provider "ibm" {
   ibmcloud_api_key = var.ibmcloud_api_key
   region           = var.region
 }
+
+data "ibm_iam_auth_token" "token_data" {
+}
+
+provider "restapi" {
+  uri                   = "https:"
+  write_returns_object  = false
+  create_returns_object = false
+  debug                 = false # set to true to show detailed logs, but use carefully as it might print sensitive values.
+  headers = {
+    Authorization    = data.ibm_iam_auth_token.token_data.iam_access_token
+    Bluemix-Instance = module.key_protect_module.key_protect_guid
+    Content-Type     = "application/vnd.ibm.kms.policy+json"
+  }
+}

examples/default/variables.tf

@@ -13,7 +13,7 @@ variable "region" {
 variable "prefix" {
   type        = string
   description = "Prefix to append to all resources created by this example"
-  default     = "terraform"
+  default     = "kp-key"
 }
 
 variable "resource_group" {

examples/default/version.tf

@@ -6,5 +6,9 @@ terraform {
       source  = "IBM-Cloud/ibm"
       version = "1.45.0"
     }
+    restapi = {
+      source  = "Mastercard/restapi"
+      version = "1.17.0"
+    }
   }
 }

main.tf

@@ -1,3 +1,35 @@
-/********************************************************************
-This file is used to implement the ROOT module.
-*********************************************************************/
+##############################################################################
+# Key Protect Key module
+##############################################################################
+
+resource "ibm_kms_key" "key" {
+  instance_id   = var.key_protect_instance_id
+  key_name      = var.key_name
+  key_ring_id   = var.key_protect_key_ring_id
+  standard_key  = var.standard_key
+  endpoint_type = var.endpoint_type
+  force_delete  = var.force_delete
+}
+
+resource "ibm_kms_key_policies" "root_key_policy" {
+  count         = var.standard_key ? 0 : 1
+  endpoint_type = var.endpoint_type
+  instance_id   = var.key_protect_instance_id
+  key_id        = ibm_kms_key.key.key_id
+  rotation {
+    interval_month = var.rotation_interval_month
+  }
+  dual_auth_delete {
+    enabled = var.dual_auth_delete_enabled
+  }
+}
+
+resource "ibm_kms_key_policies" "standard_key_policy" {
+  count         = var.standard_key ? 1 : 0
+  endpoint_type = var.endpoint_type
+  instance_id   = var.key_protect_instance_id
+  key_id        = ibm_kms_key.key.key_id
+  dual_auth_delete {
+    enabled = var.dual_auth_delete_enabled
+  }
+}